server {
    listen [::]:80;
    listen 80;

# FIXME: change domain name here (and also make sure you do the same in the next 'server' section)
    server_name social.example.org;

# redirect all traffic to HTTPS
    rewrite ^ https://$host$request_uri? permanent;
}

server {
# HTTPS is mandatory on GNU social unless you are using Tor network. Seriously. Set it up with a cert (any cert) before you run the install.
    listen [::]:443 ssl http2;
    listen 443 ssl http2;

# Root
# Change the path below to where you installed
# GNU social
    root /path/to/gnusocial/root;

# Server name
# Change "social.example.org" to your site's domain name
# GNU social MUST be installed in the domain root
    server_name social.example.org;

# SSL
# Uncomment and change the paths to setup
# your SSL key/cert. See https://cipherli.st/
# for more information
    ssl_certificate       ssl/certs/social.example.org.crt;
    ssl_certificate_key   ssl/private/social.example.org.key;

# Logs
# Uncomment and change the paths to setup
# logging
#access_log /path/to/access.log;
#error_log  /path/to/error.log;

# Index
    index index.php;

# PHP
    location /index.php {
        include fastcgi_params;
        include snippets/fastcgi-php.conf;

        fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $request_filename;

        # Further optional configuration
        #fastcgi_buffer_size 128K;
        #fastcgi_buffers 4 256K;
        #fastcgi_busy_buffers_size 256K;
        #fastcgi_read_timeout 600s;
        #fastcgi_send_timeout 300s;
        #fastcgi_connect_timeout 75s;
        #http2_push_preload on;
    }

# Location
    location / {
        try_files $uri $uri/ @index_handler;
    }

# Fancy URLs
    error_page 404 @index_handler;
    location @index_handler {
        rewrite ^(.*)$ /index.php?p=$1 last;
    }

# Restrict access that is unnecessary anyway
    location ~ /\.(ht|git) {
        deny all;
    }

#
# Hardening (optional)
#
#    add_header Strict-Transport-Security "max-age=15768000; preload;";
#    add_header X-Content-Type-Options nosniff;
#    add_header Referrer-Policy strict-origin-when-cross-origin;
#    add_header Content-Security-Policy "default-src 'self' 'unsafe-inline'; frame-ancestors 'self'; form-action 'self'; style-src 'self' 'unsafe-inline'; img-src * blob: data:;";
#    add_header X-Permitted-Cross-Domain-Policies none;
#    add_header X-Robots-Tag all; # Not really hardening, just here for strictness purposes
#
#    client_max_body_size 15M;
#    client_body_buffer_size 128k;
#    gzip_vary on;
#
#    location ~* \.(?:css|js|woff|svg|gif|png|webp|ttf|ico|jpe?g)$ {
#        gzip on;
#        gzip_comp_level 4;
#        add_header Cache-Control "public";
#        expires 30d;
#        access_log off;
#        log_not_found off;
#    }
}
